Anytime you associate a group policy to a container it is referred to as linking it. In this case I wonder if you are talking about the difference between creating a new group policy for a container and "linking" to a group policy that exists elsewhere. For example, if I want to apply a policy at the Site level, I can go to Active Directory Sites and Services and create a new policy at the Site level, or I could click "add" (link, if you will) a group policy that has already been created elsewhere, perhaps for a particular OU, or at the domain level, and that policy would now be in effect at the site level and at whatever level it was originally created. You would then have two sets of active policies using only one group policy object.

When it comes to enabled/disabled policies, remember that you can disable the computer part of a policy while leaving the user half enabled. If you create a policy that only applies computer-based settings, the machines that are affected by that policy will still read both halves of the policy when applying it. If you disable the user half, then only the Computer half will be read. You can shave some time off of the boot process by disabling unused halves of group policies, although you would have to be in a large environment with lots of policies configured for there to be a noticeable reduction in boot time.
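
A read-only audit of the two points above, added here as an example and not part of the original thread: it lists every container each GPO is linked to and flags a user or computer half that is still enabled although it has never been edited. It assumes the RSAT GroupPolicy module and a domain-joined session with read access to the GPOs; the function name `Get-GpoLinkAudit` is hypothetical.

```powershell
#Requires -Modules GroupPolicy
# Added example (not from the thread). Read-only: nothing is linked or changed.

function Get-GpoLinkAudit {
    foreach ($gpo in Get-GPO -All) {
        # The XML report carries one <LinksTo> element per site, domain or OU link,
        # so a single GPO linked in several places shows up with several entries.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ })

        # Heuristic (assumption): an AD version of 0 means that half of the GPO
        # has never been edited, so it cannot contain any settings.
        $userEmpty     = $gpo.User.DSVersion -eq 0
        $computerEmpty = $gpo.Computer.DSVersion -eq 0

        # GpoStatus says which halves clients are still asked to process.
        $status          = [string]$gpo.GpoStatus
        $userEnabled     = $status -in 'AllSettingsEnabled', 'ComputerSettingsDisabled'
        $computerEnabled = $status -in 'AllSettingsEnabled', 'UserSettingsDisabled'

        $unused = @()
        if ($userEmpty -and $userEnabled)         { $unused += 'User' }
        if ($computerEmpty -and $computerEnabled) { $unused += 'Computer' }

        [pscustomobject]@{
            Name       = $gpo.DisplayName
            Status     = $status
            LinkCount  = $links.Count
            # Each link has its own enabled flag, independent of the GPO status.
            LinkedTo   = ($links | ForEach-Object {
                             '{0} (link enabled: {1})' -f $_.SOMPath, $_.Enabled
                         }) -join '; '
            UnusedHalf = $unused -join ', '
        }
    }
}

# GPOs linked in more than one place, or with an empty half still enabled.
Get-GpoLinkAudit |
    Where-Object { $_.LinkCount -gt 1 -or $_.UnusedHalf } |
    Sort-Object Name |
    Format-List Name, Status, LinkCount, LinkedTo, UnusedHalf
```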


darovitz (Author) Commented: 2006-11-21

One quick question. Do you have to link enable every policy at the OU level for each OU? I find myself going into each OU and adding the same group policy. Seems kind of redundant.

I know the default domain policy is at the top and carries down to all my OUs.